Chapter III Information Technology Risk Management of Commercial Banks

Article 14 A commercial bank shall formulate an information technology strategy, an information technology operation plan and an information technology risk assessment plan that conform to the overall business plan of the bank, ensure the allocation of sufficient human and financial resources, and maintain a stable and safe information technology environment.

Article 15 A commercial bank shall formulate a comprehensive information technology risk management strategy, including but not limited to the following areas:

(1) Information classification and protection.

(2) Information system development, testing and maintenance.

(3) Information technology operation and maintenance.

(4) Access control.

(5) Physical security.

(6) Personnel security.

(7) Business continuity plan and emergency response.

Article 16 A commercial bank shall establish a continuous process for identifying and assessing risk: identify the areas of information technology that carry risk, assess the potential impact of those risks on the business, rate the risks, and determine the priority of risk prevention measures and the resources they require (including outsourcing suppliers, product suppliers and service providers).

Article 17 A commercial bank shall implement comprehensive risk prevention measures in accordance with its information technology risk management strategy and the results of its risk assessments. Preventive measures shall include:

(1) Formulating clear information technology risk management policies, technical standards and operating procedures, and updating and publicizing them regularly.

(2) Identifying potential risk areas and subjecting them to detailed, independent monitoring so as to minimize risk; establishing an appropriate control framework to check and balance risks; and defining the controls at each business level, including:

1. Review of the most highly privileged users.

2. Control physical and logical access to data and systems.

3. Access authorization is based on the principles of "need to know" and "minimum authorization".

4. Approval and authorization.

5. Verification and reconciliation.

Article 18 A commercial bank shall establish a continuous information technology risk measurement and monitoring mechanism, including:

(1) Establish a mechanism for evaluating information technology projects both before and after implementation.

(2) Establish procedures and standards for regularly checking system performance.

(3) Establish a mechanism for reporting complaints and incidents relating to information technology services.

(4) Establish a mechanism for rectifying problems found by internal audit, external audit and regulatory supervision.

(5) Arrange for suppliers and business departments to regularly review the fulfilment of service level agreements.

(6) Regularly assess the possible impact of new technological developments and the new threats faced by the software in use.

(7) Regularly check the operational risk and management controls in the business environment.

(8) Regularly assess the risk status of information technology outsourcing projects.

Article 19 Institutions established overseas by Chinese-funded commercial banks, and by foreign-funded commercial banks operating within China, shall comply with the information technology risk management requirements of both the domestic and the overseas regulatory authorities, and shall guard against risks arising from differences between those regulatory regimes.